Gmail and Yahoo's sender requirements, explained
2026-06-16
In February 2024, Gmail and Yahoo turned email authentication from a best practice into an entry ticket. Senders who don't meet their requirements see mail throttled, sent to spam, or rejected outright. If your company sends marketing emails, newsletters, receipts or notifications, this changed the rules for you. This guide explains exactly what's required, who's affected, and how to get compliant — and why compliance is only the floor.
What changed, and why
Gmail and Yahoo each deliver to billions of inboxes, so their policies effectively set the standard for the whole industry. Tired of carrying the cost of unauthenticated and abusive mail, they aligned on a shared set of requirements for bulk senders — and began enforcing them. The headline: if you send at volume, you must prove who you are with SPF, DKIM and DMARC, or your mail won't reliably land.
Who is affected
The strictest rules target bulk senders — defined by Google as those sending roughly 5,000 or more messages per day to Gmail addresses. Yahoo uses similar language without a hard public number. A few things to understand:
- The threshold is about volume to their users, and once you cross it, both providers treat you as a bulk sender essentially permanently.
- It's measured across your domain, so all your sending — marketing, transactional, internal tools — counts together.
- Even below the threshold, the baseline expectations (authenticate your mail, don't spam) increasingly apply. The safe assumption today is that every serious sender needs SPF, DKIM and DMARC.
The requirements, point by point
For bulk senders, the shared checklist is:
- SPF and DKIM both configured for your sending domain — not one or the other. DKIM in particular must be valid and signing your mail.
- A DMARC record published, at minimum p=none. This is the explicit, named requirement that caught many teams off guard: no DMARC record at all means non-compliant.
- Alignment: the domain in your From: header must align with the domain that passed SPF (the envelope/Return-Path domain) or DKIM (the d= tag). A passing-but-unaligned setup doesn't satisfy DMARC, and therefore doesn't satisfy the requirement. (If "alignment" is fuzzy, see how SPF, DKIM and DMARC work together.)
- One-click unsubscribe (RFC 8058) in marketing mail, signalled with List-Unsubscribe and List-Unsubscribe-Post headers, with requests honored within two days.
- A low spam-complaint rate, as measured in Google Postmaster Tools: keep it under 0.3%, ideally well below 0.1%.
- Valid forward-confirmed reverse DNS (PTR) for your sending IPs, and TLS for transport.
The first three items are the email-authentication core, and they're where most non-compliance lives. The good news: they're exactly what you should have done anyway.
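The one-click unsubscribe item is the one most often half-done: a mailto: link alone, or a missing List-Unsubscribe-Post header, does not count. The checker below, an added example that is not code from the original page or from Marc, tests a message for the three things RFC 8058 actually requires: an https URI in List-Unsubscribe, the exact List-Unsubscribe-Post value, and both headers covered by the DKIM signature's h= tag. The two sample messages are constructed, and the DKIM-Signature values in them are placeholders, not real signatures.

```python
"""RFC 8058 one-click unsubscribe header check.

Added example, not code from the original page.  The two messages below are
constructed samples (the DKIM-Signature values are placeholders, not real
signatures).  Signature verification itself is out of scope here."""
from email import message_from_string
from email.message import Message
from email.policy import default
from urllib.parse import urlparse

ONE_CLICK_VALUE = "List-Unsubscribe=One-Click"  # exact value required by RFC 8058 section 3.1


def dkim_covers(msg: Message, names=("List-Unsubscribe", "List-Unsubscribe-Post")) -> bool:
    """RFC 8058 requires both headers to be covered by a valid DKIM signature.
    This only checks that they appear in the signature's h= tag."""
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return False
    tags = {}
    for part in str(sig).split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    signed = {h.strip().lower() for h in tags.get("h", "").split(":")}
    return all(n.lower() in signed for n in names)


def unsubscribe_problems(msg: Message) -> list:
    """Return the RFC 8058 problems found; an empty list means compliant."""
    problems = []
    lu = msg.get("List-Unsubscribe")
    if lu is None:
        return ["missing List-Unsubscribe header"]
    # The value is a comma-separated list of <URI> entries.  A URI containing a
    # literal comma would need a real header parser; the samples here have none.
    uris = [u.strip().strip("<>") for u in str(lu).split(",")]
    if not any(urlparse(u).scheme == "https" for u in uris):
        problems.append("List-Unsubscribe has no https URI (a mailto: alone is not one-click)")
    lup = msg.get("List-Unsubscribe-Post")
    if lup is None:
        problems.append("missing List-Unsubscribe-Post header")
    elif str(lup).strip() != ONE_CLICK_VALUE:
        problems.append(f"List-Unsubscribe-Post must be exactly {ONE_CLICK_VALUE!r}")
    if not dkim_covers(msg):
        problems.append("DKIM-Signature does not cover List-Unsubscribe and List-Unsubscribe-Post")
    return problems


def check_raw(raw: str) -> list:
    """Parse a raw RFC 5322 message and run the checks on it."""
    return unsubscribe_problems(message_from_string(raw, policy=default))


# Constructed sample: the headers of a compliant marketing message.
COMPLIANT = """\
From: news@example.com
To: reader@gmail.com
Subject: June newsletter
List-Unsubscribe: <https://example.com/unsub?token=abc123>, <mailto:unsub@example.com?subject=abc123>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=s1; h=from:to:subject:list-unsubscribe:list-unsubscribe-post; bh=placeholder; b=placeholder

Hello.
"""

# Constructed sample: the common mistake (mailto only, no -Post header, unsigned).
NON_COMPLIANT = """\
From: news@example.com
To: reader@gmail.com
Subject: June newsletter
List-Unsubscribe: <mailto:unsub@example.com?subject=abc123>

Hello.
"""

if __name__ == "__main__":
    print(check_raw(COMPLIANT))      # []
    print(check_raw(NON_COMPLIANT))  # three problems
```

Note that the https endpoint must accept a POST with the body List-Unsubscribe=One-Click and act on it without a confirmation page; the header check above only tells you the message advertises that endpoint correctly.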
"We have a DMARC record" is not the finish line
A lot of teams reacted to the 2024 deadline by publishing a bare p=none record and calling it done. That clears the letter of the requirement — but it's worth understanding what it does and doesn't buy you.
p=none means monitor only. It satisfies Gmail and Yahoo's minimum, and it starts the flow of aggregate reports you need. But it provides no DMARC protection against spoofing: you've told receivers to take no action on failure, so a message forging your domain is judged by the receiver's ordinary spam filtering alone, and often lands. Compliance at p=none is the floor, not the goal.
The real objective is p=reject, where unauthenticated mail in your name is actually refused. That's both stronger security and a stronger deliverability signal — mailbox providers trust enforcing domains more. The path there is the same disciplined sequence regardless of the compliance deadline: inventory your senders, align them, then ramp the policy. We lay it out in how to get to p=reject without breaking email.
How to get compliant (and then protected)
A practical order of operations:
- Check where you stand. Run your domain through our free analyzer to see whether SPF, DKIM and DMARC exist and align — and get a grade. This tells you in seconds whether you'd pass the Gmail/Yahoo checks.
- Fix the basics. Publish SPF listing your real senders; enable DKIM signing on every platform; publish a DMARC record with a rua= address so reports start flowing.
- Read the reports. They reveal every source sending as you, including the ones you must align before tightening.
- Align every legitimate sender, then move the policy from none to quarantine to reject.
- Keep the hygiene up: one-click unsubscribe, low complaint rates, clean lists. Authentication gets you in the door; behavior keeps you there.
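The "read the reports" and "align every legitimate sender" steps are where the work is, so here is what reading a report actually means, as an added example that is not code from the original page or from Marc. It parses a cut-down DMARC aggregate (rua) report in the standard XML format and sorts each source into one of three buckets: aligned, passing raw SPF/DKIM but unaligned (a legitimate sender you must fix before enforcing), or unauthenticated. SAMPLE_REPORT is constructed; the IPs are documentation ranges and the domains are placeholders.

```python
"""Inventory the sources in a DMARC aggregate (rua) report.

Added example, not code from the original page or from Marc.  SAMPLE_REPORT is
a constructed, cut-down report in the standard aggregate XML format."""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example.net</org_name>
    <report_id>1718496000.1</report_id>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p>
  </policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.55</source_ip><count>350</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>mail.platform.example</domain><selector>k1</selector><result>pass</result></dkim>
      <spf><domain>bounce.platform.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>example.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def classify(record: ET.Element) -> dict:
    """Summarise one <record>: who sent, how much, and whether DMARC passed."""
    row = record.find("row")
    evaluated = row.find("policy_evaluated")
    # policy_evaluated holds the *aligned* results; auth_results holds the raw ones.
    dmarc_pass = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
    auth = record.find("auth_results")
    raw = list(auth) if auth is not None else []
    raw_pass = any(r.findtext("result") == "pass" for r in raw)
    dkim_domains = [r.findtext("domain") for r in raw if r.tag == "dkim"]
    spf_domains = [r.findtext("domain") for r in raw if r.tag == "spf"]
    if dmarc_pass:
        verdict = "aligned"
    elif raw_pass:
        verdict = "unaligned"        # looks legitimate: fix alignment before enforcing
    else:
        verdict = "unauthenticated"  # spoof, or a sender nobody ever set up
    return {
        "source_ip": row.findtext("source_ip"),
        "count": int(row.findtext("count")),
        "header_from": record.find("identifiers").findtext("header_from"),
        "dkim_domain": dkim_domains[0] if dkim_domains else None,
        "spf_domain": spf_domains[0] if spf_domains else None,
        "verdict": verdict,
    }


def summarize(xml_text: str) -> list:
    """All sources in the report, biggest senders first."""
    root = ET.fromstring(xml_text)
    rows = [classify(rec) for rec in root.findall("record")]
    return sorted(rows, key=lambda r: r["count"], reverse=True)


def ready_for_reject(rows: list) -> bool:
    """True when no source passes raw authentication while failing alignment.
    "unaligned" sources are what p=reject would break; "unauthenticated" traffic
    is what p=reject exists to block, but a human still has to confirm each such
    IP is not a forgotten legitimate sender."""
    return not any(r["verdict"] == "unaligned" for r in rows)


if __name__ == "__main__":
    rows = summarize(SAMPLE_REPORT)
    for r in rows:
        print(f'{r["source_ip"]:>14} {r["count"]:>6}  {r["verdict"]:<15} dkim={r["dkim_domain"]} spf={r["spf_domain"]}')
    print("ready for p=reject:", ready_for_reject(rows))  # False until 192.0.2.55 is aligned
```

In this constructed report the 192.0.2.55 source is the classic shared-platform case: SPF and DKIM both pass for the platform's own domains, neither matches example.com, so DMARC fails and p=reject would block 350 legitimate messages. Real reports arrive as gzipped or zipped attachments from each receiver, so the same parsing runs per file after decompression.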
A note for regulated industries
If you're in finance, healthcare or another regulated sector, the Gmail/Yahoo rules are only one of several forces pushing the same direction. Frameworks like NIS2 and DORA raise the bar on operational and anti-phishing controls, and email authentication is an obvious, auditable control to point to. Treat the 2024 sender requirements as the visible tip of a broader shift: enforced DMARC is becoming the expected baseline, not the exception. You can see how far entire sectors have come in our DMARC Observatory.
Frequently asked questions
Do transactional emails count toward the 5,000-a-day threshold? Yes. Google counts all mail to Gmail users from your domain — marketing, receipts, alerts, internal notifications — together. There is no transactional exemption, and most domains underestimate their true volume.
We send fewer than 5,000 a day. Are we exempt? From the strictest bulk rules, for now. But the baseline expectations — authenticate with SPF and DKIM, publish DMARC, keep complaint rates low — increasingly apply to everyone, and crossing the threshold even once flips you into bulk-sender treatment essentially for good. The safe move is to authenticate regardless of volume.
Does this apply to subdomains? Yes. Authenticate every subdomain you actually send from, and set your DMARC sp (subdomain policy) so subdomains aren't left open to spoofing while your root is locked down.
We send through a shared platform like Mailchimp or SendGrid. Are we covered? Only if you've configured DKIM on that platform to sign with your own domain. By default the platform signs with its own domain (the d= tag) and uses its own bounce domain for SPF, so both may pass yet neither aligns with your From:, and DMARC fails. Set up the branded signing domain the provider offers, usually a couple of CNAME records under your domain, and then confirm in your aggregate reports that the DKIM domain now matches.
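Alignment, both as the requirement listed above and as the shared-platform case in this answer, is easiest to understand by running the receiver's decision yourself. The evaluator below is an added example, not code from the original page or from Marc: it parses a published DMARC record, applies relaxed or strict alignment to the SPF domain and each DKIM d= domain, and returns the disposition, including the sp= subdomain policy from the previous answer. The records and scenarios are constructed, and org_domain() is a deliberate simplification that does not use the Public Suffix List.

```python
"""DMARC alignment evaluation, the way a receiver decides pass/fail.

Added example, not code from the original page or from Marc.  The DMARC
records and sender scenarios are constructed; org_domain() is a deliberate
simplification (see its comment)."""


def parse_dmarc(txt: str) -> dict:
    """Split a published DMARC TXT record into its tag=value pairs."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: needs v=DMARC1 and a p= tag")
    return tags


def org_domain(name: str) -> str:
    """ASSUMPTION: organizational domain = last two labels.  Real receivers use
    the Public Suffix List so that example.co.uk works; this toy does not."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict (s): exact match.  Relaxed (r, the default): same organizational domain."""
    f, a = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return f == a if mode == "s" else org_domain(f) == org_domain(a)


def evaluate(record: str, from_domain: str, spf_result: str, spf_domain: str,
             dkim_sigs: list) -> dict:
    """record: the DMARC record published for from_domain's organizational domain.
    spf_domain: the Return-Path (envelope) domain SPF was checked against.
    dkim_sigs: list of (d= domain, result) for each signature on the message."""
    tags = parse_dmarc(record)
    spf_aligned = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_aligned = any(res == "pass" and aligned(from_domain, d, tags.get("adkim", "r"))
                       for d, res in dkim_sigs)
    passed = spf_aligned or dkim_aligned
    # A From: subdomain falls under sp= when present, otherwise under p=.
    is_subdomain = from_domain.lower().rstrip(".") != org_domain(from_domain)
    policy = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    return {"pass": passed, "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "disposition": "none" if passed else policy}


# Constructed record for the examples: enforcing at the root, monitoring subdomains.
RECORD = "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc-reports@example.com; adkim=r; aspf=r"

if __name__ == "__main__":
    # Shared platform with default signing: SPF and DKIM both pass, neither aligns.
    print(evaluate(RECORD, "example.com", "pass", "bounce.platform.example",
                   [("platform.example", "pass")]))           # disposition 'reject'
    # Same platform after a branded signing domain (a CNAME under example.com).
    print(evaluate(RECORD, "example.com", "pass", "bounce.platform.example",
                   [("em.example.com", "pass")]))             # pass via DKIM
```

Two things this makes visible: with a shared platform you usually cannot get SPF alignment at all (the bounce domain is theirs), so DKIM alignment is the fix; and if you set adkim=s the branded em.example.com signing domain stops aligning with a From: of example.com, which is why relaxed alignment is the sensible default while you migrate.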
How quickly do we need to comply? The requirements are already being enforced. If your mail is getting throttled or sent to spam at Gmail or Yahoo, weak or unaligned authentication is the first thing to check — start with a free analysis.
Let Marc handle the path
Meeting the requirement is quick; reaching real protection without breaking your mail flow is the work — and it's exactly what Marc, the DMARC copilot, automates. He finds every sender from your reports, generates the precise SPF, DKIM and DMARC records to publish, and walks you from a bare p=none to a safe p=reject.
Analyze your domain free → or create an account to get compliant and protected. New here? Start with what is DMARC.
Related guides
- DMARC for banks: why financial brands are prime spoofing targets
Banks are among the most impersonated brands on earth — yet many still don't enforce DMARC. Why finance is a prime target, what the data shows, and how to fix it.
- How to get to p=reject without breaking email
A safe, staged path from DMARC monitoring (p=none) to full enforcement (p=reject) — without blocking a single legitimate message.
- SPF, DKIM and DMARC: how the three work together
SPF, DKIM and DMARC are not competitors — they're three layers that stack. Here's what each one does, why alignment matters, and how they combine to stop spoofing.
